Security is a big concern

Whenever you develop a dynamic website (a forum, a community site, an ecommerce site, and so on), security is something you need to take into account. The same holds for any functionality you add to your site using third-party scripts.

Security holes

The same scripts that make things easier for you are the ones that open your site to security holes. Sometimes the developers find them before a malicious user can exploit them, but often you learn about them from reports of hacked sites.

But the scripts are not the only source of security holes; the platform you run them on counts too: your operating system, HTTP server, database server and the interpreter or runtime of your scripting language.

Steps to counteract security risks

Back up often. Depending on your site's activity and the importance of the data, you can make daily, weekly, biweekly or monthly backups. A backup is only worth something if you have tested restoring from it and if it is stored somewhere an attacker who compromises the site cannot reach.

Do not install scripts or complete web applications before searching for security reports about them. Always make sure you install the latest stable version available.

Once installed, you will need to keep your scripts, web applications and underlying platform up to date. Install bug fixes, security fixes and version upgrades as soon as they become available.

Do not modify a script without understanding the security implications of the change. Local modifications also make upgrading harder, so a patched copy tends to fall behind on security fixes.
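The backup step above, as an added example that is not code from the original article: it archives a site directory into a timestamped tarball, writes a SHA-256 digest beside it so a restore can be checked for corruption or tampering, and keeps only the newest archives. The `site-<stamp>` naming, the retention count and the sample files are assumptions made for the example; a database dump is assumed to have been written into the site directory beforehand (for instance by mysqldump), which is not shown.

```python
"""
Added example, not code from the original article: a minimal backup
routine for the files of a dynamic site.  It archives a directory into a
timestamped .tar.gz, writes a SHA-256 digest beside it so a restore can be
checked against a corrupted or tampered archive, and keeps only the newest
`keep` archives.  The "site-<stamp>" naming is an assumption; a database
dump is assumed to have been written into the site directory beforehand
(e.g. by mysqldump), which is not shown here.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_backups(backup_dir):
    """Archives in backup_dir, oldest first (the stamp sorts chronologically)."""
    return sorted(Path(backup_dir).glob("site-*.tar.gz"))


def make_backup(site_dir, backup_dir, keep=7, stamp=None):
    """Archive site_dir into backup_dir/site-<stamp>.tar.gz, write a .sha256
    sidecar, then delete the oldest archives beyond `keep` (keep >= 1).
    Returns the archive path."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    # Microseconds in the stamp keep rapid successive backups from colliding.
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    # Retention: keep the newest `keep` archives and drop the rest.
    for old in list_backups(backup_dir)[:-keep]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive):
    """True only if the archive matches its .sha256 sidecar and is a readable
    tarball; a missing sidecar or a single changed byte fails the check."""
    archive = Path(archive)
    sidecar = Path(f"{archive}.sha256")
    if not archive.exists() or not sidecar.exists():
        return False
    if sha256_of(archive) != sidecar.read_text().strip():
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError):
        return False
    return True


def demo():
    """Constructed run: three backups with keep=2, then a tampered archive.
    Returns (archive names kept after rotation, verify result for the newest
    archive, verify result after appending a byte to it)."""
    root = Path(tempfile.mkdtemp())
    site = root / "site"
    site.mkdir()
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")     # constructed
    (site / "db-dump.sql").write_text("-- constructed database dump\n")
    backups = root / "backups"
    newest = None
    for n in (1, 2, 3):
        newest = make_backup(site, backups, keep=2,
                             stamp=f"20070312-00000{n}-000000")
    kept = [p.name for p in list_backups(backups)]
    ok_before = verify_backup(newest)
    with open(newest, "ab") as fh:   # simulate corruption or tampering
        fh.write(b"\0")
    ok_after = verify_backup(newest)
    return kept, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Run `make_backup` from cron at whatever interval the site's activity justifies, point `backup_dir` at a volume or host that the web server's account cannot write to, and run `verify_backup` (and an actual test restore) on a schedule, not only when something has already gone wrong.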

Am I Paranoid?

When I developed only static sites I didn't notice any real threat. But now that I manage only dynamic websites, with real-time reporting on site activity, I have realized the threat posed by websites with poorly designed security.

As recorded in my sites' logs, people trying to exploit security holes run bots through anonymous proxy servers to test sites for vulnerabilities. Because they come through anonymous proxies, blocking them by IP address does not work.

Some examples of the tests they run are:

  • Checking for the existence of a variety of mail-sending scripts.
  • Issuing known commands or queries that exploit security holes specific to certain scripts and web applications.
  • Leaving automated spam comments.
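The three probe types listed above can be picked out of an ordinary access log. The following is an added example, not code from the original article: a scanner for lines in the Apache/nginx "combined" log format that flags requests for well-known mail-script names, requests whose decoded URL carries an exploit-shaped payload, and bursts of POSTs to a comment endpoint from one address. The log lines are constructed for the example, and the script-name list, the payload heuristics, the `/comments.php` endpoint and the burst threshold are all assumptions to adjust for a real site.

```python
"""
Added example, not code from the original article: a small scanner for
"combined"-format access logs that flags the three probe types the article
lists.  The log lines are constructed, and the mail-script names, exploit
heuristics, comment endpoint and burst threshold are illustrative
assumptions.
"""
import posixpath
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlparse

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list: script names that probing bots commonly request.
MAIL_SCRIPTS = {"formmail.pl", "formmail.cgi", "formmail.php",
                "sendmail.php", "mailer.php", "mail.php"}

# Assumed heuristics for "known commands or queries" aimed at web apps.
EXPLOIT_PATTERNS = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("script injection", re.compile(r"<script", re.I)),
    ("remote file inclusion", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
]

COMMENT_PATH = "/comments.php"      # assumed comment-posting endpoint
BURST_COUNT, BURST_WINDOW = 3, 60   # assumed threshold: 3 POSTs within 60 s


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return a label for one request, or None if it looks benign."""
    url = urlparse(rec["target"])
    decoded = unquote_plus(rec["target"])   # bots often URL-encode payloads
    if posixpath.basename(url.path).lower() in MAIL_SCRIPTS:
        return "mail script probe"
    for name, pattern in EXPLOIT_PATTERNS:
        if pattern.search(decoded):
            return name
    return None


def analyze(log_text):
    """Scan all lines; returns per-request findings plus comment-spam bursts."""
    findings = []
    posts = defaultdict(list)   # ip -> times of POSTs to the comment endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["ip"], label, rec["target"], rec["status"]))
        if rec["method"] == "POST" and urlparse(rec["target"]).path == COMMENT_PATH:
            posts[rec["ip"]].append(rec["time"])
    bursts = {}
    for ip, times in posts.items():
        times.sort()
        # Sliding window: any BURST_COUNT consecutive POSTs within BURST_WINDOW s?
        for i in range(len(times) - BURST_COUNT + 1):
            if (times[i + BURST_COUNT - 1] - times[i]).total_seconds() <= BURST_WINDOW:
                bursts[ip] = len(times)
                break
    return {"findings": findings, "spam_bursts": bursts}


# Constructed sample log (addresses from the documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:01:02 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:10:01:03 +0000] "GET /sendmail.php HTTP/1.0" 404 512 "-" "Mozilla/4.0"
198.51.100.22 - - [12/Mar/2007:10:05:44 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "libwww-perl/5.805"
198.51.100.22 - - [12/Mar/2007:10:05:45 +0000] "GET /forum/viewtopic.php?t=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 310 "-" "libwww-perl/5.805"
192.0.2.9 - - [12/Mar/2007:10:07:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2007:10:09:00 +0000] "POST /comments.php HTTP/1.1" 302 0 "http://example.org/post/1" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2007:10:09:12 +0000] "POST /comments.php HTTP/1.1" 302 0 "http://example.org/post/2" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2007:10:09:31 +0000] "POST /comments.php HTTP/1.1" 302 0 "http://example.org/post/3" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2007:10:15:00 +0000] "POST /comments.php HTTP/1.1" 302 0 "http://example.org/post/1" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, label, target, status in result["findings"]:
        print(f"{ip:15} {status} {label:22} {target}")
    print("comment-spam bursts:", result["spam_bursts"])
```

Because the probes arrive through changing proxy addresses, the useful output is the pattern (the same script names and payloads requested across many addresses, usually drawing 404s) rather than any single IP; that is what tells you which scripts to remove or patch and where to add rate limiting or a CAPTCHA on comment posting.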